When it comes to requesting firewall rules, network zones, open ports, or any security need, the process is often done via a ticketing system. Then, when the request is fulfilled, it is up to the requestor to make sure that it is correct. Usually, this is done once or twice and then life goes on.
As more requests come in and the environment keeps changing because of infrastructure refreshes, it becomes nearly impossible to show that later changes have not circumvented or completely altered the original policies.
With most configuration management options available today (like Puppet, Chef, or Ansible), validating firewall rules and policies falls back to rudimentary, hand-run tests with network utilities. Cognitive Ops Security uses our Network and Firewall Rules validation tool to take the pain out of this task and provide a continuous view of compliance through automated testing.
First, we plug into the firewall request and provide an automated, up-to-date view showing the current status of how the infrastructure has been deployed.
Given a firewall request for an application or CBS, Cognitive Ops Security then runs a series of checks to test the implementation. We check reachability with ping and traceroute, use nmap to scan for open ports, and use nslookup to verify DNS. All of the results are documented, so you can run validation in batches and easily search the results by firewall rule or application.
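The kind of policy-versus-observation check described above, as an added example that is not Cognitive Ops Security's own code: each rule from a request ticket records whether a destination port should be reachable, a probe observes the actual state, and only deviations are reported. The ticket numbers, hosts (RFC 5737 test addresses) and ports are constructed sample data; the probe function is injectable so the check can also be run against recorded or simulated results.

```python
"""Compare expected firewall policy (allow/deny per destination:port) with
observed reachability and report deviations. Added example, not vendor code."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    ticket: str          # change request that introduced the rule (hypothetical id)
    host: str
    port: int
    expect_open: bool    # True for an allow rule, False for a deny rule


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe: a TCP connect succeeds only if the path and port are open.
    A firewall drop (timeout) or reset both show up as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate(rules: List[Rule],
             probe: Callable[[str, int], bool] = tcp_probe) -> List[Dict]:
    """Probe every rule and return the deviations from the defined policy.
    An empty list means the implementation still matches the request."""
    deviations = []
    for r in rules:
        observed = probe(r.host, r.port)
        if observed != r.expect_open:
            deviations.append({
                "ticket": r.ticket,
                "target": f"{r.host}:{r.port}",
                "expected": "open" if r.expect_open else "closed",
                "observed": "open" if observed else "closed",
            })
    return deviations


# Constructed sample policy: two allow rules and one deny rule.
SAMPLE_RULES = [
    Rule("FW-1001", "192.0.2.10", 443, True),
    Rule("FW-1001", "192.0.2.10", 22, False),
    Rule("FW-1002", "198.51.100.5", 5432, True),
]

if __name__ == "__main__":
    for d in validate(SAMPLE_RULES):
        print(d)
```

Scheduling `validate()` (cron, CI, or a config-management run) and keeping each run's deviation list gives the history of tests and detected drift that the dashboard described above presents.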
Our easy-to-use dashboard allows you to quickly drill down to deviations from the defined policies and provides a history of tests performed and deviations detected. The testing schedule is completely configurable, so you can specify both test sequences and frequency.